EDA-DPR-043 - Whistleblowing procedure

Records and compliance checklist

Under Article 31 of the new Regulation, EUIs have to keep records of their processing operations. This template covers two aspects:

1. Mandatory records under Article 31 of the new rules (recommendation: publicly available)
2. Compliance check and risk screening (internal).

The header and part 1 should be publicly available; part 2 is internal to the EUI and is therefore not reproduced here. The record below covers the EDA whistleblowing procedure.
Nr Item Explanation
Header - versioning and reference numbers (recommendation: publicly available)
1. Last update of this record: 05-09-2022
2. Reference number: EDA-DPO-043 - Whistleblowing procedure
Part 1 - Article 31 record (recommendation: publicly available)
3. Name and contact details of controller
European Defence Agency

Rue des Drapiers 17-23
B-1050 Brussels
4. Name and contact details of DPO

Mr Pedro ROSA PLAZA, Head of the Legal Office, Legal Advisor / Data Protection

5. Name and contact details of joint controller (where applicable)
6. Name and contact details of processor (where applicable)
7. Purpose of the processing
The purpose of this processing operation is to enable the reporting of illegal activity, fraud, corruption or other serious professional misconduct in EDA, to establish reporting channels for whistleblowers, to manage and follow-up reports, and to set out the rights and duties of the whistleblower. It also aims to ensure that the Agency protects the whistleblower's legitimate interests and privacy as well as the personal information of the person(s) named by the whistleblower, witnesses and other third parties appearing in the whistleblowing report.
8. Description of categories of persons whose data EDA processes and list of data categories

Data are processed from the following individuals or group of people:

  • Staff members (temporary staff, contract staff, SNEs);
  • Persons involved in the whistleblowing procedure, incl. the whistleblower, persons named by the whistleblower, witnesses and other third parties appearing in the whistleblowing report.

Data processed are the following:

  • All personal data contained in the report submitted by the whistleblower and any subsequent documents handled in the concrete case;
  • These documents may contain names, contact details and other identifiers of the persons involved;
  • Data received but not needed for examining the allegations will be erased from the report.
9. Time limit for keeping the data

For files that are closed without follow-up, data will be retained for a maximum of 2 months after completion of the investigation of the facts alleged in the whistleblower's report.

For files that lead to a follow-up (internal investigations, disciplinary procedure), data will be retained for the period of time stipulated by these follow-up procedures. A final report, containing anonymised data only, may be kept for an unlimited time.

EDA may retain anonymous data for statistical purposes. EDA pays particular attention to preserving anonymity for these purposes, in particular by taking all measures necessary to avoid indirect identification of the persons concerned.

10. Recipients of the data

The recipients are determined on a case-by-case basis. Personal information is transferred only if necessary for the legitimate performance of tasks covered by the competence of the recipient. The recipient of the whistleblowing information, namely the superior, shall transmit it to the Legal Advisor for confidential processing. The identity of the whistleblower and of the person(s) named by the whistleblower or other third parties shall be kept confidential. Recipients may be:

  • Head of Unit concerned
  • Legal Advisor
  • Human Resources Unit
  • Investigators
  • Members of the Disciplinary Board
  • Senior Management
  • OLAF, in accordance with Article 4.1 of Decision 16/04 of 22 February 2016.

EDA will ensure, through a case-by-case review, that the transfer of personal data is not automatic but only takes place when and as necessary for the legitimate performance of the tasks under the recipient's competence. Involvement of staff in the whistleblowing procedure must be strictly limited on a need-to-know basis and only when necessary for the legitimate performance of tasks covered by the competence of the recipient.

11. Are there any transfers of personal data to third countries or international organisations? If so, to which ones and with which safeguards?
12. General description of security measures, where possible.
Paper files are stored in locked cupboards of the authorised recipient(s). Electronic documents are stored on a shared drive to which only authorised person(s) have access (password protected). Exchange of emails is strictly limited to authorised recipients on a need-to-know basis and handled through confidential emails that contain only the strictly relevant data. If sensitive information has to be exchanged with the external partners listed among the recipients, IT shall provide, upon request, externally recognised certificates (public/private key pairs) to encrypt and/or sign that information. The personal data are used solely for the purpose for which they were provided, namely the whistleblowing procedure and any subsequent procedures directly triggered by it, such as internal investigations and disciplinary procedures.
13. For more information, including how to exercise your rights of access, rectification, objection and data portability (where applicable), see the privacy statement for this processing operation.